Last Login: August 03, 2020
ericalexanderorg's Contributions (14)
Stupid easy SSRF
Not enough data ATM to accurately talk risk, but there’s some concerning factors. Taking an educated guess on value & exploitability.
dom-based cross-site scripting
CVSS PR:N – No authentication required
Magento v1 just hit EOL and this patch is only v2. It’s not going to be a simple patch operation for many as they navigate dependencies from the v1 to v2 jump.
Magento put the mage in magecart – it’s a popular target
SSRF should be possible through https://vulnerable.host/avatar/redirect
That redirect is tricky since the vulnerable code is splitting on “/” and taking the last value. Need it to hit a URL with a vulnerable redirect that can redirect to a metadata URL. From there it may be possible to hit the metadata URL and grab STS tokens or pivot elsewhere.
Wording on this alludes to an authenticated RCE, but they consider an anonymous user authenticated. Nexus servers store artifacts that could be altered to pivot elsewhere. This will be a high when a POC surfaces, for now I’m going lower. The number of much older versions (that also have vulnerabilities) in Shodan suggests many organizations are not keeping up with patching.
With a CVSS base score of 7.4 and 1.7 million code hits from a GitHub search, this is looking like it has potential.
XXE vulnerability in a library that’s in use by over 500 projects on GitHub.
Not enough details to fully assess ATM but GitLab is signaling this is a high value vulnerability through: 1) Out of band critical release 2) Withholding details for 30 days (not sure they’ve ever done so).
Not enough information to accurately assess ATM. Potential to read config file or access files within git repositories. Odds are some of those repositories have secrets that can be used to pivot further.